CVE-2025-22526 – WordPress PHP/MySQL CPU performance statistics Plugin <= 1.2.1 - PHP Object Injection vulnerability

https://notcve.org/view.php?id=CVE-2025-22526

14 Mar 2025 — Deserialization of Untrusted Data vulnerability in NotFound PHP/MySQL CPU performance statistics allows Object Injection. This issue affects PHP/MySQL CPU performance statistics: from n/a through 1.2.1. The PHP/MySQL CPU performance statistics plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable ... • https://patchstack.com/database/wordpress/plugin/mywebtonet-performancestats/vulnerability/wordpress-php-mysql-cpu-performance-statistics-plugin-1-2-1-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •